New vulnerability in Windows' built-in antivirus is fixed

29 May 2017
A new vulnerability was discovered by Tavis Ormandy, a member of Google's Project Zero research team. This is not his first such finding: last month he also discovered a hole in Microsoft's antivirus, which he publicly announced before sending the information to the company, prompting a barrage of criticism.

The vulnerability Ormandy discovered allowed an application running inside the antivirus emulator to take control of it and perform various operations, such as launching malicious code when Windows Defender scans a file received by email. "The Windows Defender engine, MsMpEng, has its own x86 system emulator, which is used to run suspicious files. In doing so, the emulator runs as an NT AUTHORITY\SYSTEM service and is not a sandbox (an isolated environment for running code). Looking through the list of supported APIs, I found an ntdll!NtControlChannel element, which allows the code launched into the emulator to get control over it. The emulator's task is to emulate the client CPU, but Microsoft gave it additional instructions which let it access the API directly. Why Microsoft created such instructions remains a mystery," Ormandy wrote.

Several security experts have already criticized Microsoft for not sandboxing the emulator, since running it unsandboxed as SYSTEM makes the entire system potentially vulnerable.

The vulnerability in MsMpEng was discovered on May 12 by Google's Project Zero team, and last week Microsoft shipped a patch to close it, although the fix was not announced. The antivirus engine is updated automatically on a regular basis, which means most users are already no longer at risk.